Privacy Policy

Effective Date: 19 May 2026 | Version: 1.0

1. Introduction

This Privacy Policy informs you about the processing of personal data in connection with the use of the couchHelp platform (hereinafter referred to as the "Platform" or "we"). couchHelp is an AI-powered assistance platform for coaches working within the framework of the Activation and Placement Voucher (AVGS — Aktivierungs- und Vermittlungsgutschein).

The protection of your personal data is important to us. We process your data exclusively on the basis of legal provisions, in particular the General Data Protection Regulation (GDPR / DSGVO), the Federal Data Protection Act (BDSG), and other applicable data protection regulations.

2. Data Controller

Controller within the meaning of the GDPR:

couchHelp Email: privacy@couchhelp.click

For data protection inquiries, a contact person is available at the email address provided above.

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data

Email address
First and last name
Organization / coaching entity name (optional)
Password (stored encrypted)
Creation date and last login

3.2 Usage Data

Interactions with the AI assistant
Log data: IP address, browser type, operating system, timestamps
Error and diagnostic information
Platform features used

3.3 Client Data

This data is entered voluntarily by you as a user into the Platform and includes:

Name and contact details of your clients
Communication history (WhatsApp messages, notes)
Commitment and promise tracking ("Promises")
AVGS-related information
Session protocols and reports

Important Note: You as the user are responsible for the lawfulness of entering and processing this client data. You must ensure that your clients are informed about the processing of their data and that their consent is obtained where required.

4. Purposes of Data Processing

We process your data for the following purposes:

Provision of the Platform: Enabling the use of all couchHelp features, including AI-powered text drafts, client management, and WhatsApp integration.
Contract Performance: Fulfilling our contractual obligations towards you as a user.
Quality Improvement: Analysing usage to improve our services, fix errors, and develop new features.
Security: Detecting and preventing misuse, unauthorised access, and security incidents.
Communication: Responding to inquiries and sending service notifications.

5. Legal Basis for Processing

The processing of your data is based on the following legal grounds pursuant to Art. 6 GDPR:

Art. 6(1)(b) GDPR (Contract performance): The processing is necessary for the performance of the user agreement between you and couchHelp.
Art. 6(1)(f) GDPR (Legitimate interests): Processing for security, quality improvement, and fraud prevention is based on our legitimate interest in the secure and functional operation of the Platform.
Art. 6(1)(a) GDPR (Consent): Where required, we obtain your explicit consent, e.g. for certain cookies or marketing communications.

6. Sub-Processors

To provide our services, we use the following sub-processors:

Sub-Processor	Location	Processing Purpose	Data Processed	Data Location
Supabase Inc.	San Francisco, USA (Database: Frankfurt, Germany)	Database storage, authentication	Account data, client data, usage data	Frankfurt, Germany
Anthropic PBC	San Francisco, USA	AI text processing, classification, draft generation	Message content, client data (pseudonymised for processing)	USA
Vercel Inc.	San Francisco, USA	Hosting, CDN, web application delivery	IP addresses, log data, page content	USA / EU (edge locations)
Clerk Inc.	San Francisco, USA	User authentication, session management	Email address, name, session data	USA
Meta Platforms Ireland Ltd.	Dublin, Ireland	WhatsApp Business API integration	Phone numbers, message content	Ireland / EU

Sub-Processor Details

Supabase Inc.

Location: Database instances in Frankfurt, Germany
Contract: Data Processing Agreement (DPA) pursuant to Art. 28 GDPR
Certifications: ISO 27001, SOC 2
Retention: As long as your account is active + 30 days after deletion

Anthropic PBC

Location: San Francisco, USA
Contract: DPA with Standard Contractual Clauses (SCCs)
Note: Data may be transferred to the USA for AI processing
Retention: Temporary during processing, no permanent storage

Vercel Inc.

Location: USA and global edge locations
Contract: Standard Contractual Clauses (SCCs)
Function: Hosting of the Next.js application, CDN
Retention: Log data 30 days

Clerk Inc.

Location: USA
Contract: Standard Contractual Clauses (SCCs)
Function: Authentication, user management
Retention: As long as your account is active + 30 days

Meta Platforms Ireland Ltd.

Location: Ireland (EU)
Contract: WhatsApp Business Solution Terms
Function: WhatsApp message sending and receiving
Retention: According to Meta's privacy policy

7. International Data Transfers

Some of our sub-processors are based in the USA. When transferring personal data to the USA, we rely on the following safeguards pursuant to Chapter V GDPR:

Standard Contractual Clauses (SCCs): Standard Contractual Clauses of the EU Commission have been concluded with Anthropic PBC, Vercel Inc., and Clerk Inc.
EU-US Data Privacy Framework: Where applicable, we rely on the EU-US Data Privacy Framework, provided the sub-processor is certified.
Additional technical protection measures: We use encryption (TLS 1.3), access controls, and data minimisation to enhance the level of protection.

Note on the Schrems II ruling: In light of the CJEU ruling of 16 July 2020 (Schrems II), we have implemented additional technical and organisational measures to ensure a level of protection equivalent to that in the EU. These include end-to-end encryption during transmission and pseudonymised data processing.

8. Data Retention

We store your data only as long as necessary for the stated purposes or where statutory retention periods apply:

Account data: As long as your account is active + 30 days after account deletion
Client data: As long as required for the provision of the service; deleted immediately upon deletion by the user
Usage data / log data: 30 days (except in the case of security incidents)
Audit logs: 7 years (statutory requirement pursuant to DEKRA/TÜV for AVGS coaching)
Communication data (WhatsApp): According to Meta's terms of use

After the retention periods have expired, your data will be deleted or anonymised, unless legal obligations require longer retention.

9. Data Subject Rights

As a data subject, you have the following rights under the GDPR:

9.1 Right of Access (Art. 15 GDPR)

You have the right to request information about the personal data we store about you at any time. This includes information about the purposes of processing, the categories of data processed, the recipients, and the planned retention period.

9.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate or completion of incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten", Art. 17 GDPR)

You have the right to request the deletion of your personal data, provided there are no statutory retention obligations or other legal bases for processing.

9.4 Right to Restriction of Processing (Art. 18 GDPR)

Under certain circumstances, you can request the restriction of the processing of your data, e.g. if the accuracy of the data is contested.

9.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format and to transfer it to another controller.

9.6 Right to Object (Art. 21 GDPR)

You can object to the processing of your personal data at any time on grounds relating to your particular situation.

9.7 Exercising Your Rights

To exercise your rights, please send an email to: privacy@couchhelp.click

We will process your request within 30 days. For complex requests, the deadline may be extended by a further 60 days, of which we will inform you.

10. Cookies and Tracking

10.1 Necessary Cookies

These cookies are required for the operation of the Platform and cannot be disabled:

Session cookies: Enable login and session management
Security cookies: Protection against cross-site request forgery (CSRF)

10.2 Analytics Cookies (Optional)

Where activated, we use analytics tools to improve the user experience. These are only set with your explicit consent.

10.3 Cookie Management

You can manage or delete cookies in your browser settings:

Chrome: Settings → Privacy and Security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Settings → Privacy → Cookies and website data

Please note that disabling cookies may restrict the functionality of the Platform.

11. Data Security

We implement appropriate technical and organisational measures to protect your data:

Encryption: TLS 1.3 for data transmission, AES-256 for data at rest
Access control: Role-based access rights (RLS) in the database
Authentication: Secure authentication via Clerk with multi-factor option
Regular security checks: Monitoring for security incidents
Backups: Regular encrypted database backups

12. Data Breaches

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

Inform the competent supervisory authority within 72 hours
Notify you as the data subject without delay if there is a high risk
Take appropriate countermeasures to minimise the risk

13. Contact

If you have any questions about data protection, please contact us at:

Email: privacy@couchhelp.click

We endeavour to acknowledge your inquiry within 48 hours and provide a final response within 30 days.

14. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy as necessary to adapt it to changed legal frameworks or new Platform features. You will be informed of material changes by email or via a notice on the Platform.

Last Updated: 19 May 2026

15. Version History

Version	Date	Changes
1.0	19 May 2026	Initial release